Using botnets to do SIP scanning

Over the last week there has been a tremendous amount of SIP scanning from IPs all over the world. The scans come from a lot of IPs but carry the same signature, so there is probably only one person/firm behind this.

6 responses to “Using botnets to do SIP scanning”

I can second this. Our network is one of the targets of this scanning. Since it started, we have about 30000 extra connections registered on our firewall. It has a default UDP lifetime of 2 minutes, so we have more than 30000 SIP scans every second at the moment…

It is possible to use ACLs, but the scans are now coming from all over the Internet. You could install software that works like a bouncer for unwanted SIP messages. It will analyse the SIP message, and according to your rules, it will not accept SIP scans, just your regular SIP User Agents.
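
The rule-based screening described in the last comment, combined with the post's observation that many IPs share one signature, as an added example that is not from the post or its commenters. The allowlist values, the fingerprint definition (method, User-Agent, header order) and the `sample` messages are assumptions constructed for illustration.

```python
from collections import defaultdict
# Assumed local policy (constructed values): your own phones and the methods you serve.
ALLOWED_UA_PREFIXES = ("ExamplePhone/",)
ALLOWED_METHODS = {"REGISTER", "INVITE", "ACK", "BYE", "CANCEL", "OPTIONS"}

def parse_sip(raw):
    """Return (method, headers) for a SIP request; None for anything else."""
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], headers

def signature(method, headers):
    """Fingerprint that ignores the source: method, User-Agent, header order."""
    return (method, headers.get("user-agent", ""), tuple(headers))

class Bouncer:
    def __init__(self):
        self.sources = defaultdict(set)  # signature -> source IPs seen

    def check(self, src_ip, raw):
        parsed = parse_sip(raw)
        if parsed is None:
            return "drop:malformed"
        method, headers = parsed
        self.sources[signature(method, headers)].add(src_ip)
        if method not in ALLOWED_METHODS:
            return "drop:method"
        if not headers.get("user-agent", "").startswith(ALLOWED_UA_PREFIXES):
            return "drop:user-agent"
        return "accept"

    def distributed_signatures(self, min_ips=3):
        """Signatures seen from at least min_ips distinct source addresses."""
        return {s: ips for s, ips in self.sources.items() if len(ips) >= min_ips}

def sample(method, ua):  # constructed message, not captured traffic
    return (f"{method} sip:100@192.0.2.10 SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 198.51.100.1:5060\r\n"
            f"User-Agent: {ua}\r\nContent-Length: 0\r\n\r\n").encode()
```

The User-Agent header is set by the sender, so the allowlist only screens scans that do not bother to imitate your phones; the per-signature count of distinct sources is what ties traffic from many IPs to one tool.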